What is HIPAA

What is HIPAA?

Congress passed HIPAA in 1996 and in the following years regulations were approved to enforce the statute. The federal agency charged with enforcement of HIPAA is the US Department of Health and Human Services’ Office of Civil Rights (OCR).

The regulations dealing with the release and protection of health information are known as the Privacy Rule and the Security Rule.

They established a “floor” for the protection of individually identifiable health information, and any state laws that do not have the same or greater level of protections or access are preempted by HIPAA.

What types of entities must comply with HIPAA?

HIPAA applies to and affects virtually all health care-related organizations which it refers to as “covered entities”. These covered entities include health plans, providers (such as hospitals, doctors labs, dentists, etc.) health care clearinghouses, and federal Medicare and State Medicaid programs. Other state and local government programs may be impacted too, even if they do not meet the definition of a covered entity. Furthermore, HIPAA regulates the use and disclosure of what it calls “protected health information” (PHI for short). PHI is defined as individually identifiable health information created or received by a covered entity that relates to the past, present or future physical or mental condition, provision of health care or payment for health care. PHI may be released by a covered entity if the purpose is for the treatment of the patient, payment for a health care provider's services or certain business operations of the covered entity.

HIPAA and the Indiana State Department of Health

The Indiana State Department of Health (ISDH) is a hybrid entity under HIPAA. This means that while the primary purpose of the ISDH is not to be a health care provider, health care plan or health care clearinghouse some of its components meet those definitions. The programs that can be classified as meeting HIPAA definitions of covered entities must comply with HIPAA's regulations.

The ISDH HIPAA covered programs are:

Breast and Cervical Cancer Program

Children’s Special Health Care Services Program

Genomics/Newborn Screening Program

Hemophilia Program

HIV Medical Services Program

At the current time, other ISDH programs are not required to comply with HIPAA, although other laws may apply to them and require protection of individuals’ information.

What is required by the Regulations?

Privacy and Confidentiality Standards – The HIPAA Privacy Rule created national standards for protecting an individual's medical records and other personal health information. The regulations established safeguards that health care providers and others must implement to protect the privacy of health information.

Security Rule - The Security Rule requires a series of administrative, technical, and physical security procedures that covered entities must implement to assure the confidentiality of electronic protected health information.

Electronic Health Transaction Standards - HIPAA requires every provider who conducts business electronically to use the same health care transactions, code sets, and identifiers.

If a covered entity engages in one or more of the following ten transactions electronically, the covered entity must comply with the standard for that transaction.

Health care claims or equivalent encounter information

Health care payment and remittance advice

Coordination of benefits

Health care claim status

Enrollment and disenrollment in a health plan

Eligibility for a health plan

Health plan premium payment

Referral certification and authorization

First report of injury

Health claims attachments

Unique Identifier - This component requires unique identifiers for employers, providers and health plans. Employers, providers and health plans must obtain standard national numbers from the Centers for Medicare and Medicaid Services (CMS) that identify them on standard transactions.

What are Your Patient Rights?

Individual Rights under HIPAA

Access to Information – a person can request and receive a copy of their health information and may request that copy be in electronic form. The covered entity may charge a reasonable fee for providing the copy either in paper or electronic form.

Amend information – a person may ask for their information to be amended to correct errors but covered entities are only responsible for making changes in the records that they created.

Accounting of disclosures – an individual may request a list of all the time that their information was released improperly.

Notice of Privacy Practices – an individual has the right to receive a written notice of privacy practices from covered entities that details rights of the individual and duties of the covered entity under HIPAA.